Splunk Search

calculating values in new rows/columns and appending based on values in existing rows/columns

HattrickNZ
Motivator

I have something like this in the stats view in splunk.

field   NE1 NE1-L   NE2 NE2-1   field-alt
KPI1    30251   125000  22761   126000  KPI1-alt
KPI2    8809    38000   5875    38000   KPI2-alt
KPI3    212130  300000  229172  300000  KPI3-alt
KPI4    107965  160000  111798  160000  KPI4-alt
KPI5    83045   100000  42984   60000   KPI5-alt
KPI6    83229   100000  43081   60000   KPI6-alt

the query is rather long and contrived and looks something like:

index=core host=... | 
stats  ... | untable userLabel field value | xyseries field userLabel value | 
appendcols [
search index=core ... | 
stats max| 
untable subname field value | 
xyseries field subname value | 
rename field as field1 | 
]

What I want to do is add further columns to the right that are basically doing a arithmetic operation on the values in the row/columns to the left, giving something like:

field   NE1 NE1-L   NE2 NE2-1   field-alt   field2      filed3
KPI1    30251   125000  22761   126000  KPI1-alt    NE1/NE1-L   NE2/NE2-L
KPI2    8809    38000   5875    38000   KPI2-alt    NE1/NE1-L   NE2/NE2-L
KPI3    212130  300000  229172  300000  KPI3-alt    NE1/NE1-L   NE2/NE2-L
KPI4    107965  160000  111798  160000  KPI4-alt    NE1/NE1-L   NE2/NE2-L
KPI5    83045   100000  42984   60000   KPI5-alt    NE1/NE1-L   NE2/NE2-L
KPI6    83229   100000  43081   60000   KPI6-alt    NE1/NE1-L   NE2/NE2-L

How Can I achieve this?

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

You can add this to the end of your search:

... | eval field2 = NE1/'NE1-L' | eval field3 = NE2/'NE2-L'

Note, you have to single-quote fields that contain a minus sign to avoid Splunk trying to subtract L from NE1... try not using fields that contain operators in their name to ease further computing.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

You can add this to the end of your search:

... | eval field2 = NE1/'NE1-L' | eval field3 = NE2/'NE2-L'

Note, you have to single-quote fields that contain a minus sign to avoid Splunk trying to subtract L from NE1... try not using fields that contain operators in their name to ease further computing.

HattrickNZ
Motivator

tks too easy 🙂

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...